Security managers warned to address employees flouting rules

Too many companies leave themselves vulnerable to employees’ ignorance or purposeful flouting of the rules when it comes to information security, suggests a survey conducted by (ISC)2. Focused on the “basics” of policy management, the survey revealed that organizations are becoming confident in their ability to comply with the policies and procedures set out to secure their organizations. Analysis of the results, however, reveals education efforts to be immature, with most concerns relating to accountability and company-wide understanding of what is required.

The survey questioned 737 information security professionals last month about their organisation’s efforts in policy and awareness management. A great majority, 80 percent, said their company’s ability to comply with security policy was satisfactory, good or very good, leaving only 20 percent saying they were dissatisfied. However, this confident stance was tempered by concerns from nearly half of the respondents over a lack of training (48 percent) and poor employee understanding of policy (46 percent); a lack of defined accountability (42 percent); and an unsupportive company culture (48 percent).

These obstacles to compliance with policy were cited by significantly more respondents than other issues of traditional concern, including a lack of budget, which only 22 percent were concerned about, and the ability to procure the latest technology, which concerned only 19 percent of respondents.

When asked whether their organizations tracked security policy, the majority of respondents, 63 percent, said yes, and a similar number, 60 percent, identified that there were sanctions for non-compliance, while only two percent felt that those sanctions were understood company-wide. The survey also queried efforts to educate employees about policies and expectations. The bulk of the formal efforts to educate employees were said to be online, with 56 percent of respondents identifying this method, while 35 percent are using an employee newsletter, and 35 percent said expectations were written into employee contracts. Only a quarter reported in-person training programs. A significant number are identifying the need to manage data, with 72 percent reporting they had a data classification policy, which according to John Colley is a first step toward understanding the human challenges ahead.

Results of the survey are to be analysed fully as part of the business education seminar, “Are We Getting the Basics Right”, with John Colley at Infosecurity Europe 2009, 10 a.m. in the Business Strategy Theatre on Thursday, April 30.